Jeroen van Beek takes the passport of a 16-month-old British boy and puts it on to a £40 smartcard reader the size of an iPod. He punches a code into his computer and, within seconds, the information contained in the passport’s microchip appears on screen.

This is not supposed to happen, as communication between the chip and the reader uses powerful encryption, but a renowned British computer expert called Adam Laurie worked out how to crack the code 18 months ago.

Within seconds, in his university office in Amsterdam, Mr van Beek, 30, copies the contents of the microchip on to another chip, making a clone of the first. He launches some software called Golden Reader Tool – the International Civil Aviation Organisation (ICAO) standard kit for checking biometric passports – and the new chip is flagged up as authentic.

As amazing as this may seem, this is nothing new. A German computer academic called Lukas Grunwald first cloned chips from his country’s passports two years ago.

What is new and potentially devastating, however, is what comes next.

On his computer, Mr van Beek alters the cloned chip and removes the image of the child, the Times photographer Michael Crabtree’s son, Thomas, and replaces it with the image of Osama bin Laden. He does the same with the passport of my partner, Suzanne Hallam, installing the image of Hiba Darghmeh, a Palestinian suicide bomber instead. And, if the chips had contained other biometric data, such as fingerprints or iris scans, he could have changed those too.

At first, Golden Reader refuses to authenticate the new, altered chips. A digital key signature, a certificate of authenticity, has been changed, and the reader is concerned. But Mr van Beek falls back on the work of Peter Gutmann, from Auckland University, New Zealand, who found a way to programme another key signature into the chip. The ICAO’s reader software now accepts both chips as genuine.

If we were criminals, we would have been able to create a passport in the name of a real person with a chip containing our biometrics – facial image, fingerprints and so on – and travel the world as that individual. When we presented our fake passport at borders, our image (and in EU passports issued from next June, fingerprints) would match those held in our supposedly secure biometric passports.

As identity theft goes, we could not have been more thorough. We have taken a tool designed to make an individual’s identity more secure, and changed it to validate our criminal activity. Of course, we would then need either genuine blank passports, like the 3,000 stolen on Monday last week, or fake passports – which these chips were supposed to have made obsolete – in which to put our clones.

The first electronic passports, or e-passports, were introduced by Malay-sia ten years ago. After the 9/11 attacks, the US told other countries that they would have to introduce biometric passports if they wanted to avoid their citizens having to apply for visas each time they travelled there. Now costing £72, they were first issued in Britain in March 2006. Implementa-tion cost about £250 million, all of which was funded by the public by way of passport fees. Each passport contains a radio frequency identification (RFID) chip with an antenna which, when contacted by a reader with the correct encrypted codes, bounces back the information it holds.

Among the computing and electronic privacy communities, this technology has been treated with suspicion. In the US, a special foil security cage had to be inserted into new passports when researchers managed to read chips from a distance of several feet.

In Britain, details held on one passport chip were read from inside a sealed envelope by Adam Laurie in response to Home Office claims that remote reading would be impossible.

Mr van Beek, whose research in Amsterdam University’s system and network department is sponsored by the accountancy firm KPMG, has even created a passport chip featuring the identity of Elvis Presley.

The Elvis passport has been accepted as genuine by a public e-passport reader at a Dutch town hall. Oddly, though, the Dutch Government later insisted that the reader was not designed to check the security features of passports.

There is a simple tool that could foil all this fakery, but the international community is failing to use it. The ICAO, a United Nations agency, set up a centralised database to combat cloning and faking 16 months ago called the Public Key Directory, or PKD. It is operated by a Singaporean company, Netrust, which beat seven others to win the contract.

Remember that replacement key certificate that Mr van Beek programmed into our passport chips? The PKD would flag that up if you tried to use your passport at the border of a country that was a member.

At present, key signature codes can be checked only if e-passport countries choose to swap details of those keys, one country at a time. The UK does this with thirty-five countries, leaving ten uncheckable. Under the PKD system, border readers would instantly send back details of the digital signature of the chip in the fake passport – and check it against codes supplied by the issuing country.

But of the forty-five countries with e-passports, only five – Australia, New Zealand, Singapore, the US and Japan – are using the PKD. Britain says that it hopes to start using it by the end of the year.

The ICAO wants all its 189 member countries eventually to introduce e-passports; if they don’t all join the PKD, security will be seriously compromised.

As far back as April 2006, the ICAO issued a report that said PKD membership should be “necessary . . . and not optional”. Publicly, the ICAO is unable to castigate individual member states. This week it said: “The PKD ensures that e-passports used at border control points . . . are genuine and unaltered. In effect, it renders the passport foolproof. For this to happen, however, all states issuing e-passports must join the PKD, otherwise that assurance cannot be given.”

Privately, however, ICAO officials are understood to be frustrated that billions of dollars have been spent on developing e-passports but the system is open to abuse because of the failure of nations to share microchip key signatures over the PKD.

Some e-passport countries are not yet ready, but officials fear that others simply do not like the idea of handing over data to nations that they do not trust.

Eckart Brauer, chairman of the ICAO board responsible for the directory, told The Times that he did not expect all countries to participate for at least another three years, and he cautioned that the failure of even one country to sign up could render the entire e-passport regime open to abuse.

“It is possible to copy all the data from the chip and put in data . . . but it is not possible to copy the signature, so checking that [against the PKD] is of the utmost importance,” he said.

Mr Laurie, the expert who first cracked the UK passport encryption and the founder of the website rfidiot. org, said that it was vital that all countries signed up to the directory.

He said: “If you are 99 per cent secure, then you are 100 per cent vulnerable, because that 1 per cent can be exploited.”

Times Recommends

• Don't despair: great players learn from defeat
• Pope clears way for Cardinal Newman sainthood
• Ecclestone: despots are underrated